Installing Patches

Patches are binary code modifications that change the way Sun-supplied software operates. Sun releases them either because previously identified bugs have been fixed, or because a security exploit has been discovered in a piece of software and a simple workaround is inadequate to prevent intrusion or disruption of normal system activity. For example, until recently many of the older Solaris daemons suffered from buffer overflow vulnerabilities, in which a rogue client deliberately over-writes the fixed boundaries of an array to crash the system. Many system daemons, such as web servers, can be crashed because memory outside the declared size of an array is overwritten with arbitrary values. Without appropriate bounds checking, passing a 1025-byte GET request to a web server whose buffer is 1024 bytes would clearly result in unpredictable behavior, as the C language does not prevent a program from doing this. Since Solaris daemons are typically written in C, a number of them have been fixed in recent years to prevent this problem from occurring (but you may be surprised at just how often new weaknesses are exposed). The Sendmail, IMAP, and POP daemons for Solaris have all experienced buffer overflow vulnerabilities in the past which required urgent installation of security patches.

The CDE-based Calendar Manager service may be vulnerable to a buffer overflow attack, as identified in CVE-1999-0320 and CVE-1999-0696. The Calendar Manager is used to manage appointments and other date/time-based functions.

The remote administration daemon (sadmind) may be vulnerable to a buffer overflow attack, as described in CVE-1999-0977. The remote administration daemon is used to manage system administration activities across a number of different hosts.

The CVE number identifies the description of each security issue in the Common Vulnerabilities and Exposures database (http://cve.mitre.org/). Each identified vulnerability contains a hyperlink back to the CVE database, so that the information displayed about every issue is updated directly from the source. New patches and bug fixes are also listed there.

To find out information about current patches, sysadmins are directed to the http://www.sunsolve.com/ site, where details about current patches for each operating system release can be found. There are two basic types of patches available from SunSolve: single patches and jumbo patches. Single patches have a single patch number associated with them, are generally aimed at resolving a single outstanding issue, and usually insert, delete, or update data in a small number of files. Single patches are also targeted at resolving specific security issues. Each patch is associated with an internal bug number from Sun's bug database. For example, patch number 108435-01 aims to fix BugId 4318566, involving a shared library issue with the 64-bit C++ compiler.

In contrast, a jumbo patch consists of many single patches that have been bundled together, on the basis of operating system release levels, to ensure that the most common issues for a particular platform are resolved by the installation of the jumbo patch. It’s standard practice to install the current jumbo patch for Solaris 9 once it’s been installed from scratch, or if the system has been upgraded from Solaris 7.

Some of the latest patches released for Solaris 9 include the following:

110322-01: Patch for /usr/lib/netsvc/yp/ypbind

110853-01: Patch for Sun-Fire-880

110856-01: Patch for /etc/inet/services

110888-01: Patch for figgs

110894-01: Patch for country name

110927-01: Patch for SUNW_PKGLIST

111078-01: Patch Solaris Resource Manager

111295-01: Patch for /usr/bin/sparcv7/pstack and /usr/bin/sparcv9/pstack

111297-01: Patch for /usr/lib/libsendfile.so.1

111337-01: Patch for /usr/sbin/ocfserv

111400-01: Patch for KCMS configure tool

111402-01: Patch for crontab

111431-01: Patch for /usr/lib/libldap.so.4

111439-01: Patch for /kernel/fs/tmpfs

111473-01: Patch for PCI Host Adapter

111562-01: Patch for /usr/lib/librt.so.1

111564-01: Patch for SunPCi 2.2.1

111570-01: Patch for uucp

111588-01: Patch for /kernel/drv/wc

111606-01: Patch for /usr/sbin/in.ftpd

111624-01: Patch for /usr/sbin/inetd

111648-01: Patch for env3test, cpupmtest, ifbtest, and rsctest

111656-01: Patch for socal and sf drivers

111762-01: Patch for Expert3D and SunVTS

One of the most useful guides to the currently available patches for Solaris 9 is the SunSolve Patch Report (ftp://sunsolve.sun.com/pub/patches/Solaris8.PatchReport). This report provides a quick reference to all newly released patches for the platform, as well as updates on previous patches that have now been modified. A list of suggested patches for the platform is also contained in the Report, while recommended security patches are listed separately. Finally, a list of obsolete patches is provided. Some of the currently listed security patches available include the following:

108528-09: Patch for kernel update

108869-06: Patch for snmpdx/mibiisa/libssasnmp/snmplib

108875-09: Patch for c2audit

108968-05: Patch for vol/vold/rmmount

108975-04: Patch for /usr/bin/rmformat and /usr/sbin/format

108985-03: Patch for /usr/sbin/in.rshd

108991-13: Patch for /usr/lib/libc.so.1

109091-04: Patch for /usr/lib/fs/ufs/ufsrestore

109134-19: Patch for WBEM

109234-04: Patch for Apache and NCA

109279-13: Patch for /kernel/drv/ip

109320-03: Patch for LP

109322-07: Patch for libnsl

109326-05: Patch for libresolv.so.2 and in.named

109354-09: Patch for dtsession

109783-01: Patch for /usr/lib/nfs/nfsd

109805-03: Patch for pam_krb5.so.1

109887-08: Patch for smartcard

109888-05: Patch for platform drivers

109892-03: Patch for /kernel/drv/ecpp driver

109894-01: Patch for /kernel/drv/sparcv9/bpp driver

109896-04: Patch for USB driver

109951-01: Patch for jserver buffer overflow

Figure 15-1 shows the main screen on SunSolve that lists all of the available jumbo patches and recommended clusters for Solaris 9.

Figure 15-1: Retrieving patches from SunSolve.

Patch Example

To determine which patches are currently installed on your system, use the showrev -p command.

From the output of showrev -p, we can see that showrev reports several different properties of each patch installed:

The patch number.

Whether the patch obsoletes a previously released patch (or patches) and which version numbers.

Whether there are any prerequisite patches (and their version numbers) on which the current patch depends.

Whether the patch is incompatible with any other patches.

What standard Solaris packages are affected by installation of the patch.

From one of these examples (106541-15), we can see that it obsoletes a large number of other patches, including 106832-03, 106976-01, 107029-01, 107030-01, 107334-01, 107031-01, 107117-05, 107899-01, 108752-01, 107147-08, and 109104-04. In addition, it depends on patch 107544-02, and is compatible with all other known patches. Finally, it affects a large number of different packages, including SUNWkvm, SUNWcsu, SUNWcsr, SUNWcsl, SUNWcar, SUNWesu, SUNWarc, SUNWatfsr, SUNWscpu, SUNWcpr, SUNWdpl, SUNWhea, SUNWipc, SUNWtoo, SUNWnisu, SUNWpcmci, SUNWpcmcu, SUNWtnfc, SUNWvolu, and SUNWvolr.

patchadd

To install a single patch, you simply need to use the patchadd command:

# patchadd /patches/106541-15

where /patches is the directory into which your patches have been downloaded, and 106541-15 is the name of the patch directory (it should be the same as the patch number).

To add a number of patches from the same directory, use patchadd with the -M option, which takes the patch directory followed by the IDs of the patches to install:

# patchadd -M /patches 106541-15 106541-10 107453-01

where /patches is the directory containing the patches, and 106541-15, 106541-10, and 107453-01 are the patches to be installed. Once the patches have been successfully installed, they can be verified by using the showrev command. For example, to check that patch 106541-15 has been successfully installed, the following command could be used:

# showrev -p | grep 106541-15
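Grepping for a single patch number does not tell you whether an older revision is installed, or whether the patch has been superseded by one that obsoletes it, both of which showrev -p reports in the fields described above. The following script is an added example, not code from the original text: it parses showrev -p output and checks a list of required patch IDs against it. SAMPLE_SHOWREV is a constructed sample based on the 106541-15 entry described earlier (package list shortened); on a real host you would feed it the output of showrev -p instead.

```shell
#!/bin/sh
# Added example (not from the original text): check required patch IDs against
# "showrev -p" output. A required NNNNNN-RR is satisfied if that patch number is
# installed at revision >= RR, or an installed patch lists it under "Obsoletes:".
# SAMPLE_SHOWREV is constructed from the 106541-15 entry the text describes
# (package list shortened); on a real host use the output of:  showrev -p
SAMPLE_SHOWREV='Patch: 106541-15 Obsoletes: 106832-03, 106976-01, 107029-01 Requires: 107544-02 Incompatibles:  Packages: SUNWkvm, SUNWcsu, SUNWcsr
Patch: 107544-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108528-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# patch_status <showrev output> <patch-id>
# Prints INSTALLED, OBSOLETED, OLDER or MISSING; exit 0 only for the first two.
patch_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
    BEGIN { split(want, w, "-"); base = w[1]; rev = w[2] + 0; have = 0; obs = 0 }
    $1 == "Patch:" {
        split($2, p, "-")                       # installed id -> number, revision
        if (p[1] == base && p[2] + 0 > have) have = p[2] + 0
        inobs = 0
        for (i = 3; i <= NF; i++) {             # walk the Obsoletes: list only
            if ($i == "Obsoletes:") { inobs = 1; continue }
            if ($i ~ /:$/)          { inobs = 0; continue }
            if (inobs) {
                id = $i; sub(/,$/, "", id); split(id, q, "-")
                if (q[1] == base && q[2] + 0 > obs) obs = q[2] + 0
            }
        }
    }
    END {
        if (have >= rev) { print "INSTALLED"; exit 0 }
        if (obs >= rev)  { print "OBSOLETED"; exit 0 }
        if (have > 0)    { print "OLDER";     exit 1 }
        print "MISSING"; exit 1
    }'
}

# check_patches <showrev output> <patch-id>...
# Prints "<id> <status>" per patch; returns the number of unsatisfied patches.
check_patches() {
    out=$1; shift; bad=0
    for id in "$@"; do
        s=$(patch_status "$out" "$id") || bad=$((bad + 1))
        echo "$id $s"
    done
    return "$bad"
}

# Example run against the constructed sample (IDs taken from the text's lists).
check_patches "$SAMPLE_SHOWREV" 106541-15 106832-03 108528-09 109951-01 ||
    echo "$? patch(es) need attention"
```

The required IDs can be taken straight from the recommended security patch list in the SunSolve Patch Report, so the script doubles as a quick compliance check after a patch run.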

patchrm

Patches can be easily removed by using the patchrm command. For example, to remove the patch 106541-15, the following command would be used:

# patchrm 106541-15

If the patch was previously installed, it will now be removed. However, if the patch was not previously installed, the following error message is displayed:

Checking installed packages and patches...
Patch 106541-15 has not been applied to this system.
patchrm is terminating.